I applied a "PowerUserAccess" policy to a "developer" role in my account, and that role is used by several users. The role grants access to AWS resources, so anyone holding it can encrypt/decrypt with keys in KMS. I want to restrict encrypt/decrypt operations on one specific KMS key. To do that, I added a Deny statement to the default KMS key policy of this particular key, as shown below. The Deny blocks any principal from performing encrypt/decrypt operations unless their user ID is root (12345), one of the specific roles AROAADMINROLE (admin account) or AROALAMBDAROLE (assume role), or the IAM user AIDAMYIAMUSER. Despite the explicit Deny statement, users with the developer role are still able to encrypt/decrypt with the key. Can anyone help me find what is wrong?
A similar policy can be used to restrict access to our S3 buckets. I followed this article to build the policy: https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/. The policy below uses wildcards and a StringNotLike condition to implement the same principle.
**KMS policy**
```json
{
  "Id": "my-key-consolepolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345:user/my_iam_user"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ExplicitDenyEncryptDecryptAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "12345",
            "AROAADMINROLE",
            "AROAADMINROLE:*",
            "AIDALAMBDAROLE:*",
            "AIDALAMBDAROLE",
            "AIDAMYIAMUSER:*",
            "AIDAMYIAMUSER"
          ]
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::12345:user/my_iam_user",
          "arn:aws:iam::12345:role/my_lambda_role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
```
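As an added example (not part of the question and not AWS code), here is a small offline evaluator for the Deny statement's `StringNotLike` condition: it applies IAM wildcard semantics (`*` matches any run of characters, `?` one character, case-sensitive) to `aws:userid` values in the shapes AWS issues, the account ID for root, an `AIDA...` unique ID for an IAM user, and `AROA...:session-name` for an assumed-role session. The sample user IDs below are constructed; the pattern list is copied from the posted policy.

```python
"""Offline check of the posted ExplicitDenyEncryptDecryptAccess condition."""
import re

# Copied from the Deny statement in the question.
DENY_CONDITION = {
    "StringNotLike": {
        "aws:userid": [
            "12345", "AROAADMINROLE", "AROAADMINROLE:*",
            "AIDALAMBDAROLE:*", "AIDALAMBDAROLE",
            "AIDAMYIAMUSER:*", "AIDAMYIAMUSER",
        ]
    }
}

def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike matching: '*' any run, '?' one char, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate StringLike / StringNotLike blocks against a request context.

    StringLike is true when the value matches ANY listed pattern; StringNotLike
    is true when it matches NONE. Several operators or keys are ANDed, as in IAM.
    Only keys present in the context are supported (aws:userid always is).
    """
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            any_like = any(iam_like(p, context[key]) for p in patterns)
            if operator == "StringLike" and not any_like:
                return False
            if operator == "StringNotLike" and any_like:
                return False
    return True

def deny_applies(userid: str) -> bool:
    """True when the posted Deny would block kms:Encrypt/Decrypt for this caller."""
    return condition_matches(DENY_CONDITION, {"aws:userid": userid})

if __name__ == "__main__":
    # Constructed sample callers: root, admin role session, developer role
    # session, a lambda role session with an AROA prefix, and the IAM user.
    for uid in ["12345", "AROAADMINROLE:alice", "AROADEVROLE:bob",
                "AROALAMBDAROLE:my-fn", "AIDAMYIAMUSER"]:
        print(f"{uid:24} denied={deny_applies(uid)}")
```

Note that a role session's user ID carries the role's `AROA...` unique ID, so a pattern written with an `AIDA...` prefix (the form IAM issues to users) will not exempt that role.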